Alpine: multiple sox packages: security update to 14.4.2-r10

critical Tenable Cloud Security Plugin ID 407172

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A heap-based buffer overflow vulnerability exists in the sphere.c start_read() functionality of Sound
Exchange libsox 14.4.2 and master commit 42b3557e. A specially-crafted file can lead to a heap buffer
overflow. An attacker can provide a malicious file to trigger this vulnerability. (CVE-2021-40426)

- A flaw was found in sox 14.4.1. The lsx_adpcm_init function within libsox leads to a global-buffer-
overflow. This flaw allows an attacker to input a malicious file, leading to the disclosure of sensitive
information. (CVE-2021-3643)

- A vulnerability was found in SoX, where a heap-buffer-overflow occurs in function lsx_read_w_buf() in
formats_i.c file. The vulnerability is exploitable with a crafted file, that could cause an application to
crash. (CVE-2021-23159)

- A floating point exception (divide-by-zero) issue was discovered in SoX in functon startread() of wav.c
file. An attacker with a crafted wav file, could cause an application to crash. (CVE-2021-33844)

See Also

https://security.alpinelinux.org/vuln/CVE-2021-23159

https://security.alpinelinux.org/vuln/CVE-2021-33844

https://security.alpinelinux.org/vuln/CVE-2021-3643

https://security.alpinelinux.org/vuln/CVE-2021-40426

https://security.alpinelinux.org/vuln/CVE-2022-31650

https://security.alpinelinux.org/vuln/CVE-2022-31651

Plugin Details

Severity: Critical

ID: 407172

Version: Revision 1.27

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-40426

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2021-3643

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 4/14/2022

Reference Information

CVE: CVE-2021-23159, CVE-2021-33844, CVE-2021-3643, CVE-2021-40426, CVE-2022-31650, CVE-2022-31651